Sidecar-based installation types

In a Kubernetes cluster, Operators can be deployed in different modes concerning the namespace setup. The default installation mode for Airlock Microgateway is AllNamespaces with a single Operator managing all web application Pods with SidecarGateways in a cluster. This is the only installation mode that can be used with the Community edition license.
For a production environment, multi-namespace installations are commonly used where Airlock Microgateway Operator can watch and operate web application Pods installed in multi-namespace setups. This allows, i.e., to separate production from staging and development.

Info

To achieve an optimum level of segregation and low memory consumption of the Operator, we recommend using a static rather than a dynamic MultiNamespace installation.

The installation modes can be configured via the Microgateway Operator Helm chart by setting the operator.watchNamespaces and operator.watchNamespaceSelector values.

Cluster-scoped installation modes

Role-based access control (RBAC) is created cluster-scoped (using ClusterRoles and ClusterRoleBindings) in the respective cluster for the following installation modes:

AllNamespaces (default)	Dynamic MultiNamespace
In a simple AllNamespace installation mode, the Airlock Microgateway Operator and web application Pods with SidecarGateways can be deployed in multiple separate namespaces.	In a dynamic MultiNamespace installation mode, the Airlock Microgateway Operator and web application Pods with SidecarGateways are deployed in multiple separate namespaces.

The Operator watches all namespaces. `watchNamespaces` and `watchNamespaceSelector` are not configured. This mode is limited to a single Operator that watches all namespaces.	The Operator watches multiple namespaces where the `watchNamespaceSelector` matches the labels. For more information, see the Kubernetes label selectors documentation. You can use `--set-json` to set JSON values (scalars/objects/arrays) from the command line, see Helm install documentation. `matchLabels` and `matchExpressions` are supported. Namespaces can dynamically be added and removed from the watch scope by changing their labels. Restarting the application pods is required to complete the action. Restarting the Operator Pod is not required. If several Operators are deployed, the administrator must ensure that namespaces exclusively match only one of the Operators. The `watchNamespaces` list must be left empty. This mode requires a Premium edition license.

Namespace-scoped installation modes

Role-based access control (RBAC) is created namespace-scoped (using Roles and RoleBindings) in the respective namespaces for the following installation modes:

Static MultiNamespace	SingleNamespace	OwnNamespace
In a static MultiNamespace installation mode, the Airlock Microgateway Operator and web application Pods with SidecarGateways are deployed in multiple separate namespaces.	In a SingleNamespace installation mode, the Airlock Microgateway Operator and one or more web application Pods with SidecarGateways are deployed in two separate namespaces.	In an OwnNamespace installation mode, the Airlock Microgateway Operator and one or more web application Pods with SidecarGateways share a single namespace.

The Operator watches multiple namespaces according to the `watchNamespaces` list. The `watchNamespaces` list contains multiple namespaces that the Operator should watch. If several Operators are deployed, the administrator must ensure that namespaces exclusively match only one of the Operators. The `watchNamespaceSelector` list must be left empty. This mode requires a Premium edition license.	The Operator watches a single namespace according to the `watchNamespaces` list. The `watchNamespaces` list must contain the single namespace of the SidecarGateway resource. If several Operators are deployed, the administrator must ensure that namespaces exclusively match only one of the Operators. In this mode, the Helm test to verify the installation is not available. The test deployment must be disabled `--set tests.enabled=false`. The `watchNamespaceSelector` list must be left empty. This mode requires a Premium edition license.	The Operator watches all web application Pods with SidecarGateway in his namespace. The Operator namespace must be added to the `watchNamespaces` list. The `watchNamespaceSelector` list must be left empty. This mode requires a Premium edition license.

Finding the most suitable installation mode

Use cases	Installation mode
Multiple projects within an organization Companies often have multiple projects under development simultaneously. Multi-namespace allows you to organize these projects independently without conflicts between resources. Testing and staging environments Create separate namespaces for testing and staging environments to ensure that changes made in one environment do not affect the other. Upgrade scenario Run different Airlock Microgateway versions in the same Kubernetes cluster.	Static/Dynamic MultiNamespace
Multiple tenants in a shared cluster In a shared cluster, you can use different namespaces for each tenant, providing an extra layer of isolation between them. The recommended installation mode is static MultiNamespace.	Static MultiNamespace
Self-contained installations Installation mode OwnNamespace allows simple, namespace-scoped installations.	OwnNamespace

Further information and links

Internal links:

Installation, upgrade and uninstallation

External links: